On Thu, 29 Sep 2022, Peter Conrad wrote:
> thanks. That's definitely an improvement. But I think it's not
> sufficient.
>
> AFAICS your code uses "aliases" as in "if it's type X then it can also
> be type Y". However there are also cases where a specific instance of
> type X can also be type Y but not all instances of type X. For example,
> the eicar.com antivirus test file is a MSDOS-executable consisting
> purely of ASCII characters, so it would be valid text/plain AND
> application/x-msdownload but clearly neither all text/plain's are valid
> application/x-msdownload's nor vice versa so there can't be an alias
> connecting the two.

Any chance you could write up a bit more about what you're trying to achieve, and what you're trying to protect against?

It's ApacheCon next week, and we may be able to get a few of us together in-person to brainstorm what's possible in this area.

Thanks
Nick
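
The distinction raised in the quoted message, between type-level aliases and a single instance that is valid as two unrelated types, shown as an added example that is not part of the original thread or the project's code. The alias table, the detector predicates (including the simplified "MZ" magic check) and the sample bytes are assumptions constructed for illustration.

```python
import string

PRINTABLE = set(string.printable.encode("ascii"))

# Type-level aliases (assumed table): "every X is also a Y".
ALIASES = {
    "text/html": {"text/plain"},
    "text/plain": set(),
    "application/x-msdownload": {"application/octet-stream"},
}

# Per-instance checks (simplified assumptions): is THIS byte string valid as the type?
DETECTORS = {
    "text/plain": lambda d: len(d) > 0 and all(b in PRINTABLE for b in d),
    "text/html": lambda d: d.lstrip().lower().startswith((b"<!doctype html", b"<html")),
    "application/x-msdownload": lambda d: d[:2] == b"MZ",
}

def alias_closure(mime):
    """All types reachable from `mime` through type-level aliases alone."""
    seen, stack = set(), [mime]
    while stack:
        t = stack.pop()
        if t not in seen:
            seen.add(t)
            stack.extend(ALIASES.get(t, ()))
    return seen

def candidate_types(data):
    """Every type this particular instance satisfies."""
    return {t for t, matches in DETECTORS.items() if matches(data)}

def missed_by_aliases(data, primary):
    """Types the instance matches that alias expansion of `primary` cannot reach."""
    return candidate_types(data) - alias_closure(primary)

# Constructed sample: printable ASCII only, yet it starts with the "MZ" magic.
SAMPLE = b"MZ this line is plain printable ASCII\r\n"

if __name__ == "__main__":
    print(sorted(candidate_types(SAMPLE)))
    print(sorted(missed_by_aliases(SAMPLE, "text/plain")))
```

An HTML document is covered by the alias text/html -> text/plain, so nothing is missed there; the constructed sample is covered only by checking each instance against every detector.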
